FortiGate: Software-/ Hardware-/ VLAN-Switch

I am still a bit confused about the different switch types a FortiGate firewall is able to handle. While there is a lot of information on the Internet about the “internal-switch-mode” of “switch/interface”, I have not found any good information about the differences between the “Hardware/Software/VLAN” switch types that are configured via the GUI or via the “virtual-switch-vlan enable” CLI command. Though I still don’t know all the differences exactly, I am trying to explain some of them here.

Possibilities

This table lists the possible switch types. The first column shows the configured switch mode (set internal-switch-mode {interface|switch}), the second is the VLAN switch mode (set virtual-switch-vlan {enable|disable}), and the last column shows the possible switch types that can be configured within these scenarios (software, hardware, VLAN):

| Switch Mode (set internal-switch-mode ...) | VLAN Switch Mode (set virtual-switch-vlan ...) | Switch Types                     |
|--------------------------------------------|------------------------------------------------|----------------------------------|
| switch                                     | disable                                        | Software Switch                  |
| switch                                     | enable                                         | Software Switch                  |
| interface                                  | disable                                        | Hardware Switch, Software Switch |
| interface                                  | enable                                         | VLAN Switch, Software Switch     |

Mode: Switch or Interface

This is explained on many pages on the Internet and even in some official Fortinet documentation. Mostly, you want the “interface” mode, in which every interface on a FortiGate can be configured as a unique layer-3 interface. Currently, when a FortiGate is factory reset, the default is “interface” mode:

    config system global
        set internal-switch-mode interface
    end

Type: Software, Hardware, or VLAN

Now it’s getting a bit more interesting. As we have seen already, the software switch is present in any scenario, while the other ones are only possible in the “interface” mode. In any case, each created switch type must be configured with an IP address.

Software Switch: This is a logical (!) bundle of interfaces of different types. It can be used if physical interfaces and WiFi interfaces/SSIDs/etc. should be bound together. (I am not sure, but it sounds like this switch type is handled entirely by the CPU. Maybe it’s not that fast compared to the hardware switch?)

Hardware Switch: A hardware switch binds together hardware interfaces that are physically present on the same integrated switch. This is hardware dependent: not all FortiGate firewalls can be configured in the same way for hardware switches.

VLAN Switch: This is a type of hardware switch that adds a VLAN ID to it. With this feature it is possible to create a hardware switch within a VLAN that already exists on the network. This VLAN can be connected through another interface port in trunk mode to transport it to other layer-2 switches.
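As an added example (not from the original post or from Fortinet), here is how the prerequisites and all three switch types look together in the FortiOS CLI, each finished with its own IP address as the text requires. Port names, the WiFi SSID "wifi-guest", the physical switch name "sw0", VLAN 100 and the IP addresses are constructed assumptions; which ports share one integrated switch depends on the model.

```fortios
# Prerequisites (constructed example). Changing internal-switch-mode requires a reboot.
config system global
    set internal-switch-mode interface
    set virtual-switch-vlan enable
end
# Software switch: CPU-handled bundle of a physical port and a WiFi SSID
config system switch-interface
    edit "sw-soft"
        set vdom "root"
        set member "port3" "wifi-guest"
    next
end
# Hardware switch on the integrated switch chip (assumed name "sw0")
config system virtual-switch
    edit "sw-hard"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
# VLAN switch: hardware switch whose member port sits in VLAN 100
config system virtual-switch
    edit "sw-vlan100"
        set physical-switch "sw0"
        set vlan 100
        config port
            edit "port4"
            next
        end
    next
end
# Every switch is a layer-3 interface and needs its own IP address
config system interface
    edit "sw-soft"
        set ip 10.0.3.1 255.255.255.0
        set allowaccess ping
    next
    edit "sw-hard"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https
    next
    edit "sw-vlan100"
        set ip 10.0.100.1 255.255.255.0
        set allowaccess ping
    next
end
```

Keep allowaccess on each switch interface to the minimum the segment actually needs, since every switch here becomes a routed interface of the firewall.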

I hope this brings a bit more understanding. Please write a comment if I missed something or explained something wrong.